← All comparisons

A free Have I Been Pwned alternative

Have I Been Pwned is the world's breach database - Cactus's password check even runs on its data. What Cactus adds is a plain-language front door: clear results and next steps, in English or French, free, no signup.

What Have I Been Pwned is good at

Have I Been Pwned (HIBP) is where the world checks whether an email address has turned up in a data breach. Australian security researcher Troy Hunt has run it since 2013, and it has indexed billions of breached accounts - free for individuals. You can search your email address and subscribe to "Notify me" alerts for future breaches; businesses can pay for domain monitoring and API access. Its Pwned Passwords database answers billions of queries a month and sits behind password managers and websites everywhere. HIBP isn't really a competitor here - it's the reference point for breach data, and Cactus gladly builds on Troy Hunt's work.

What Cactus does

Cactus gives you two breach checks, in English and French:

  • The email breach check shows whether your address appears in known breaches - with dates and what was exposed. Your address is never stored or logged.
  • The password breach check hashes your password right in your browser and sends only a 5-character fragment (k-anonymity). The password itself never leaves your device.

Every result ends with plain next steps: which password to change first, where to turn on two-factor authentication, and what to do after a password breach. There's also a breach directory you can search in either language. No account, no signup, nothing to install.

Where the data comes from

Credit where it's due. The password check queries HIBP's own Pwned Passwords database - the same data you'd get on HIBP's site. The breach directory merges HIBP's public breach list (shared under a CC BY 4.0 licence) with XposedOrNot, an independent free index. The email lookup runs on XposedOrNot rather than HIBP, so each service may know about a breach the other doesn't. If your search comes back clean on one, run it on the other too.

How they compare

Have I Been Pwned Cactus
Email breach search Yes - the largest index Yes - via XposedOrNot
Password check (k-anonymity) Yes (Pwned Passwords) Yes - same Pwned Passwords data
Alerts for future breaches Yes ("Notify me") No
Domain monitoring / API Yes, incl. paid plans No
Plain-language next steps Brief Step-by-step, beginner-friendly
Cost / signup Free for individuals Free, no signup
Bilingual (EN/FR) No - English only Yes

Which should you use?

If you want the deepest email search, ongoing "Notify me" alerts, or domain monitoring for a business, Have I Been Pwned is the one to bookmark. Cactus gives you the same password check, plus breach lookups explained in plain language with the next steps spelled out - in French as well as English. HIBP's site is English-only; for a francophone parent or friend, Cactus is the version they can actually read.

Try the matching Cactus tools

More comparisons